StevensNet.com

Detecting and disabling SMBv1

Thursday, May 11, 2017 in Technical Articles

Microsoft recently issued Security Update 4013389 (bulletin MS17-010) for Windows SMB. It affects all currently supported versions of Windows. The update patches the SMBv1 server code; disabling SMBv1 removes that attack surface altogether, which is what the rest of this article is about.

SMBv1 isn't safe, and staying on it costs you some key protections that only exist in SMBv2 and SMBv3, among them:

- Pre-authentication integrity, new in SMBv3.1.1 (Windows 10 / Server 2016). It protects against man-in-the-middle attacks that tamper with the connection setup and authentication messages.
- Secure dialect negotiation, introduced in SMBv3.0 / 3.02, which protects against man-in-the-middle attacks that downgrade the capabilities negotiated between client and server.
- Encryption (SMBv3.0 and later), which stops inspection of data on the wire; in SMBv3.1.1 encryption performance has continued to improve.
- Insecure guest authentication blocking (SMBv3 on Windows 10 / Server 2016), which again prevents man-in-the-middle attacks.
- Better message signing: HMAC-SHA256 replaced MD5 as the signing algorithm in SMBv2.02, and AES-CMAC replaced that in SMBv3.

Moving from v1 to v3 also brings significant performance improvements, such as larger reads and writes, peer caching of folder and file properties, BranchCache support, and durable and resilient handles (among other things).

First, some bad news: SMBv1 is still installed and enabled by default on Server 2016, likely for compatibility with older clients and devices.

How do you detect or audit it? Very simple. For Windows 10 and Server 2016, turn on SMBv1 access auditing in PowerShell:

Set-SmbServerConfiguration -AuditSmb1Access $true

Once auditing is on, every SMBv1 connection is logged as event ID 3000 in the Microsoft-Windows-SMBServer/Audit event log, so you can see which clients still depend on it before you switch it off.

...but we don't use 2016, we use an older OS on our servers...
Got you covered there too:
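Here is an added example of the audit-then-disable workflow on Windows 10 / Server 2016. It is not code from the original post; it assumes the built-in SmbShare module, local administrator rights, and that the event 3000 message text carries a "Client Address:" line (the regular expression below is built on that assumption).

```powershell
# Added example (not from the original post): audit SMBv1 usage on Windows 10 /
# Server 2016 before disabling it, so clients that still depend on it are found.
# Assumes the SmbShare module (built in on these versions) and local admin rights.

# 1. Turn on SMBv1 access auditing on the server side.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2. Leave it running for a while, then collect event ID 3000 from the
#    Microsoft-Windows-SMBServer/Audit log. Each event records one client
#    that connected using SMB1.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

# 3. Summarise which client addresses are still talking SMB1.
#    Assumption: the event message contains a line "Client Address: <ip>".
$events |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Client = ($_.Message -replace '(?s).*Client Address:\s*([^\r\n]+).*', '$1')
        }
    } |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# 4. When nothing of concern shows up, confirm the current state, then disable SMB1.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The final Set-SmbServerConfiguration line is left commented out on purpose: run the audit long enough to cover month-end jobs, scanners and other infrequent clients before you flip it, because anything that only speaks SMBv1 (old multifunction printers and NAS boxes are the usual suspects) stops working the moment you do.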

For Windows Vista/2008 and Windows 7/2008 R2
Check the registry value SMB1 under HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters: 0 means SMBv1 is disabled, 1 means enabled, and if the value is absent the default (enabled) applies. Changing it takes effect after a reboot.
There is an SMB2 value under the same key as well, if you want to check that while you're at it (make sure it is not set to 0, or you lose SMBv2 too).

For Windows 8 and Server 2012
This is a bit easier: these versions ship the SmbShare PowerShell module, so Get-SmbServerConfiguration shows you directly whether EnableSMB1Protocol is set, and you can put that check into SCCM to see which systems still have SMBv1 enabled.

The registry route works here as well: it is the same SMB1 value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, so set it to 0 to disable SMBv1 (1 is enabled).
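The following added example (not from the original post) pulls the per-version checks above into one detection script of the kind you would drop into an SCCM Compliance Settings item, with a matching remediation function. It uses the SmbShare cmdlets where they exist (Windows 8 / Server 2012 and later) and falls back to the SMB1 registry value on older systems, treating a missing value as enabled. The "Compliant" / "NonCompliant" output strings and the function names are assumptions for this example, not anything the post specifies.

```powershell
# Added example (not from the original post): version-aware SMBv1 server
# detection and remediation, suitable for an SCCM Compliance Settings item.
# Assumes local admin rights. Function names and the Compliant/NonCompliant
# strings are conventions chosen for this example.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Returns $true when the SMB1 server protocol is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Vista/2008 and 7/2008 R2: DWORD value SMB1 under LanmanServer\Parameters.
    # 0 = disabled, 1 = enabled; a missing value means the default, which is enabled.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return ($value -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry route for the older versions; the change takes effect after a reboot.
        New-ItemProperty -Path $regPath -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    }
}

# Discovery script: SCCM compares this single output value against the expected one.
if (Get-Smb1ServerState) { 'NonCompliant' } else { 'Compliant' }

# Remediation script (configured separately in the compliance item):
# Disable-Smb1Server
```

Two caveats when rolling this out. The registry value only controls the SMB server; on Windows 7 / 2008 R2 the SMBv1 client driver (mrxsmb10) is separate and is switched off with "sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi" followed by "sc.exe config mrxsmb10 start= disabled". And on Windows 8.1 / Server 2012 R2 and later SMBv1 is an optional component, so "Remove-WindowsFeature FS-SMB1" (servers) or "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol" (clients) removes the code entirely rather than just turning it off.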

I hope you found this article on how to detect and remediate SMBv1 informative and effective. Don't forget that you can also use SCCM Compliance Settings to detect and remediate these items across the fleet.